You have made sure it can't connect to the net, right? It's compromised, and the scammers will be dialling into it and doing stuff every time it comes online.

You should do the most destructive possible reinstall. If you go too far & break it then you can drop it into a PC repair shop and they can install a fresh copy of Windows for you - a minor inconvenience - but if you don't go far enough your sister will have Ukrainian (probably) criminals reading her emails forever.

Karl wrote: You have made sure it can't connect to the net, right? It's compromised, and the scammers will be dialling into it and doing stuff every time it comes online...

I did fear that. Could they do so even though the machine has been reset and Windows updated?

Karl wrote: ...You should do the most destructive possible reinstall. If you go too far you can drop it into a PC repair shop and they can install a fresh copy of Windows for you...

Yeah, I anticipate that I'm gonna have to restart this whole process (two and a half hours so far) and select the TPM delete option... which may screw things up completely, meaning that, yeah, I need to take the machine to a shop. Oh, well, I'll see how this Windows update process finishes first.

It's possible those encrypted files were a vulnerability that the scammer installed that they decrypt and encrypt when they access the machine remotely using some other vulnerability they installed (I doubt it's simply Remote Desktop), in order to run them. They could also have been set to hidden and iirc encrypted files don't appear in Windows Explorer at all, you have to access them with a decryption app.

There was obviously some Java or JavaScript or Flash or some other security vulnerability on the phishing site they visited so make sure they don't visit it again. Firefox and Chrome both have their own bad website / malware flagging that should help and they should be up to date. Also update Java and Flash.

Hopefully the backdoor has been removed, or at least part of the chain is dead.

Death's Head wrote: What advantages does Norton give over Windows Defender?

I'm off the pace with PC technology, but I did a search and found this from 2016:

Independent AV testing labs like AV-Comparatives, AV-Test Institute and Dennis Technology Labs are a good source for comparing the performance of different AV programs. If you look at AV-Test Institute's Feb 2015 comparative tests for Windows 8/8.1 AVs for Home Users, for example, you will see that Windows Defender 4.6 had the lowest score (0/6) for malware detection with a detection rate of 74% for their reference set of malware (over 12,000 samples) compared to Norton Security 2015 which scored 6/6 with a detection rate of 99%.

I think paid-for antivirus software can be an OK investment if the laptop is being used by someone completely tech-illiterate and unwilling to put even slight, cursory effort into defending themselves. I wouldn't choose Norton or McAfee though because they're really bloated. Maybe Kaspersky or the pro version of Malwarebytes?

For anyone who knows how a computer works Windows Defender is fine. If you run Firefox with decent security extensions (uBlock, NoScript) and don't regularly fileshare then I think you probably won't ever even need to use Windows Defender. This doesn't sound like it's the case for your sister though.

Part of the reason I use Linux is so I don't ever have to worry about any of this nonsense.

I think generally it is a case of what type of hammer is appropriate. You need a pin hammer to set a picture hook, you need a sledgehammer to smash through a wall.

If it's a noob who falls for stuff like this, provide that person with adequate defense. If they're savvy and will stop to think twice about visiting 214124.norton.web.uk.scamlol and then entering all their stuff and talking to someone asking for £400 to unhack their IP-connected CD-ROM drive then MSE is fine.

I don't blame you for recommending Norton. It's ironic however that the brand in this case made them blind to scammers that exploit the idea, "If it says Norton on it then I'm safe, shut up and take my money".

Obviously glad your sister called you and it's fortunate the scammer asked for such a ridiculous amount of money. It's kind of insulting they thought your sister was that stupid though (or they wouldn't have proceeded), and good therefore that she called you.

It's scary because this can easily lead to things like encrypted system files, disk deletion of sentimental or valuable things, or identity theft and credit/debit card fraud.

I would full format the disk and reinstall Windows from a disk however. I only say that because for me it doesn't seem to be a pain to do so; doing this stuff for family and friends etc is a right pain in the arse because they just never learn. You've probably spent hours faffing around with it but you can't fix your general computer user's vulnerability to psychological exploits. Sorting it out while knowing it'll probably happen again is the dread of working with computers.

(case in point, I have an ex boss who still asks me for passwords I provided in a database when I left 4 strawberry floating years ago because they can't keep their gooseberry fool together and every single time they ask me to email it to them they create a security risk)

Jawa - one thing you must warn your sister about is that if she gets a call from "the IT department", just be sensible and if she can't do that, just put the phone down. I get these calls a ridiculous number of times. I used to play along for a while but it just became such a waste of time. Most of the time it sounds so scripted it is unbelievable they get any money from anyone. Last time I got a call I said "you don't really think I'm going to think you are from my IT department do you?". The response was "shut up" and the woman put the phone down. Next time someone calls me (assuming it is a woman) I'm going straight in with "what are you wearing.....". Free sex line FTW.

There are some great videos on YouTube of software engineers etc getting scammers to remote into a virtual machine of Windows or even Linux or something and still try to "fix the problems" as if it is Windows (they can't even tell they're in Linux) and when they're called up on it they get all offended and try to claim they are offering a legit service despite getting their leads from phishing sites and trying to charge ££££ for fixing a made up problem. It's really surreal. In this one the scammer tries to claim that he is himself being scammed and the guy just does this make teh monies from youtubes (after the reveal).

Here's another one in a VM where the scammer doesn't even realise it isn't a real machine, this time a woman on the fake tech support hotline who tries to nuke the computer at the end by encrypting the entire system: